Preface



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act
of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents the results of the audit of the Transportation Security Administration's 
fiscal year 2008 Mission Action Plans. We contracted with the independent public accounting firm 
KPMG LLP (KPMG) to perform the audit. The contract required that KPMG perform the audit 
according to generally accepted government auditing standards and guidance from the Office of 
Management and Budget and the Government Accountability Office. KPMG is responsible for the 
attached auditor's report and the conclusions expressed in the report. 

The recommendations herein have been discussed in draft with those responsible for implementation. 
We trust this report will result in more effective, efficient, and economical operations. We express 
our appreciation to all of those who contributed to the preparation of this report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



April 27, 2009 

Ms. Anne Richards 

Assistant Inspector General for Audit 

Department of Homeland Security, Office of the Inspector General 

Ms. Peggy Sherry 

Acting Chief Financial Officer 

Department of Homeland Security 

This report presents the results of our work conducted to address the performance audit objectives relative 
to the Department of Homeland Security's (DHS or the Department) Mission Action Plans (MAPs) 
developed to address the internal control deficiencies at the Transportation Security Administration. 
These deficiencies were identified by management and/or reported in the KPMG LLP (KPMG) 
Independent Auditors' Report included in the Department's fiscal year 2008 Annual Financial Report. 

This performance audit is part of a series of three performance audits that the Department's Office of 
Inspector General (OIG) engaged us to perform related to the Department's fiscal year 2009 MAPs for 
use in developing the Department's Internal Control Over Financial Reporting (ICOFR) Playbook. This 
performance audit was designed to meet the objectives identified in the Objectives, Scope, Methodology 
and Approach section of this report. Our procedures were performed using the MAPs provided to us on 
January 5, 2009. Interviews with DHS and TSA management and other testwork were performed at
various times through April 27, 2009, and our results reported herein are as of April 27, 2009. 

We conducted this performance audit in accordance with Government Auditing Standards. Those 
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings based on our audit objectives. 

This performance audit did not constitute an audit of the financial statements in accordance with 
Government Auditing Standards. KPMG was not engaged to, and did not, render an opinion on the 
Department's or TSA's internal control over financial reporting or over financial management systems 
(for purposes of OMB Circular No. A-127, Financial Management Systems, as revised). KPMG cautions
that projecting the results of our evaluation to future periods is subject to the risks that controls may 
become inadequate because of changes in conditions or because compliance with controls may 
deteriorate. 
EXECUTIVE SUMMARY



The Department has identified deficiencies in internal control over financial reporting through its annual 
assessment conducted pursuant to Office of Management and Budget (OMB) Circular No. A-123, 
Management's Responsibility for Internal Control, and in compliance with the Federal Managers'
Financial Integrity Act (FMFIA). Some of the deficiencies were identified as significant deficiencies or 
material weaknesses, in the Independent Auditors' Report included in the FY 2008 DHS Annual 
Financial Report (AFR). Beginning in 2006, the Department began a comprehensive corrective action 
plan to remediate known internal control deficiencies. The plan is documented in the Internal Controls 
Over Financial Reporting Playbook (ICOFR Playbook). The Mission Action Plan (MAP) is a key 
element of the ICOFR Playbook that documents the remediation actions planned for each internal control 
deficiency at the DHS component level. The MAP provides specific actions, timeframes, key milestones, 
assignment of responsibility, and validation procedures. 

The Transportation Security Administration (TSA) developed two MAPs related to significant 
deficiencies or material weaknesses (as presented in the FY 2008 Independent Auditors' Report) 
submitted by TSA to the Department's Chief Financial Officer for inclusion in the FY 2009 ICOFR 
Playbook. The MAPs address control deficiencies identified in: 

• Financial Reporting (including Entity-Level Controls) 

• Property Management 

Objective, Scope, Methodology and Approach 

We conducted our audit in accordance with the standards applicable to such audits contained in the 
Government Auditing Standards, issued by the Comptroller General of the United States. 

The objective of this performance audit was to assess the status of prior year findings and 
recommendations made in our TSA performance audit report dated February 22, 2008. Our audit was 
performed using criteria to evaluate the MAP development process and content. The evaluation criteria 
were developed from a variety of sources including technical guidance published by OMB, the 
Government Accountability Office, and from applicable laws and regulations. We also considered DHS' 
policies and guidance, and input from the Office of Inspector General (OIG) when designing evaluation 
criteria. Our evaluation criteria were: 

• Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency condition(s). 

• Development (of the MAP) - Clear action steps that address the root cause, and attainable and 
measurable milestones at an appropriate level of detail. 

• Accountability (for execution of the MAP) - The individual MAP owner is responsible for its 
successful implementation, ensuring that milestones are achieved and that the validation phase is 
completed. 

• Verification and validation - The MAP includes written procedures to verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. 

Findings and Recommendations: 

We found that TSA has prepared MAPs that address its known control deficiencies described above, and 
the MAPs were submitted timely to the Department for inclusion with the FY 2009 ICOFR Playbook. 
We noted that TSA did not remediate all prior year findings related to the performance audit. In 
particular: 

1. The Financial Reporting MAP (including Entity-Level Controls) lacks specific milestones related to 
some root causes. The Issue Description is limited to a presentation of auditors' findings. In 
addition, the MAP lacks a clear linkage from the root cause to the actions and milestones. We 
recommend that TSA management expand the MAP to address all root causes and clearly link
milestones to root causes. 

2. The Property Management MAP lacks a clear linkage from the root cause to the actions and 
milestones, and the Issue Description is limited to a presentation of auditors' findings. We 
recommend that TSA management expand the MAP to address all root causes, and clearly link 
milestones to root causes. 

In addition, we noted other matters during our review of the MAPs. Specifically, the Financial Reporting 
MAP did not adequately demonstrate how TSA will address the key root cause, which is a lack of 
sufficient resources. In addition, the Property MAP focuses on prospective maintenance of reconciled 
balances, and does not adequately address the steps necessary to reconcile and correct erroneous balances 
that exist currently. We recommend that TSA supplement both MAPs to address these issues. 

Our audit procedures were performed over the MAPs received on January 5, 2009, and we have not 
performed audit procedures on any modifications made to the MAPs after the start of our audit, and the 
effect of any modifications is not reflected in this report.
BACKGROUND



The Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) 
recognize that deficiencies in internal control exist. The internal control deficiencies are reported by DHS 
management in its annual Secretary's Assurance Statement, issued pursuant to OMB Circular No. A-123, 
Management's Responsibility for Internal Control. The Secretary's Assurance Statement and the findings
of the external auditor were reported in the Department's fiscal year (FY) 2008 Annual Financial Report 
(AFR). The conditions causing the internal control weaknesses are diverse and complex. Many 
conditions, which are systemic, were inherited with the legacy financial processes and IT systems in place 
at the time of the Department's formation in 2003. The evolution of the Department's mission, programs, 
component restructuring, and other infrastructure changes, has made remediation of these internal control 
weaknesses very challenging. To meet this challenge, the Department's Secretary, Chief Financial 
Officer and financial management in the DHS components adopted a comprehensive strategy to 
implement corrective actions beginning in FY 2006 and continuing into future years. 

The Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office 
(ICPMO) is primarily responsible for the development and implementation of the Department's strategy 
to implement Mission Action Plans (MAPs). The ICPMO has documented its strategy and other related 
plans to remediate identified internal control deficiencies in the Internal Controls Over Financial 
Reporting Playbook (ICOFR Playbook). 

In 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the 
Department enhanced its existing guidance by issuing the FY 2009 Mission Action Plan Guide (MAP 
Guide). To comply with Management Directive 1030 and the MAP Guide, TSA prepared two detailed 
MAPs to address the internal control deficiencies over Financial Reporting (including Entity-Level 
Controls) and Property Management. The control deficiencies are summarized below: 

• Entity Level Controls - TSA lacks a sufficient number of skilled accounting staff in the proper 
positions in the Financial Statements and Report Branch, did not adequately direct and review 
outside contractors, has weaknesses in communication, instruction, training, supervision and/or 
coordination with personnel outside of the Office of Financial Management, and lacks sufficient 
oversight of financial reporting functions. In addition, the organizational structure in finance and 
accounting may not be optimally aligned with its resources. 

• Financial Reporting - TSA has not followed policies and procedures consistently over supervisor 
reviews of financial statements and journal vouchers, or reviews have been ineffective. In 
addition, TSA places an inappropriate reliance on the audit as a control over financial reporting. 
TSA does not have effective procedures over review of work performed by outside contractors, 
and has not developed procedures to fully analyze the effects of its current and newly adopted 
accounting policies to ensure full compliance with generally accepted accounting principles 
(GAAP). TSA has not fully reconciled its intragovernmental balances with trading partners. 

• Property Management - TSA does not have policies and procedures in place to properly account 
for and report equipment and internal use software balances. In addition, TSA did not adopt an 
appropriate asset capitalization dollar threshold. 



OBJECTIVE, SCOPE, METHODOLOGY AND APPROACH 
Objective and Scope 

The objective of this performance audit was to assess the status of prior year findings and 
recommendations made in our performance audit report dated February 22, 2008. Our evaluation was 
performed using evaluation criteria, described in the methodology section below. We did not evaluate the 
outcome of the MAP process or any corrective actions taken by management during our audit, and our
findings should not be used to project ultimate results from MAP implementation. Recommendations are 
provided to help address findings identified during our performance audit. 

The MAPs subjected to our evaluation were provided to us by the DHS OCFO, on behalf of TSA, on 
January 5, 2009. The scope of this performance audit did not include procedures on any of the MAPs 
associated with other control deficiencies existing at TSA as of September 30, 2008. Our audit was 
performed between January 5, 2009 and April 27, 2009, and our results reported herein are as of April 27, 
2009. 

We have not performed audit procedures on any modifications made to the MAPs after the start of our 
audit, and the effect of any modifications is not reflected in this report.

Methodology and Approach 

We conducted this performance audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States. Our 
methodology consisted of the following four-phased approach: 

Project Initiation and Planning - We attended meetings with the Department's OIG, OCFO, and TSA to 
review the performance audit objectives, scope, describe our approach, communicate data requests, and to 
gain an understanding of the status of TSA's 2009 MAPs. We reviewed the prior year findings and 
recommendations made by KPMG in the performance audit report dated February 22, 2008, to gain an 
understanding of the issues to be evaluated. 

Data Gathering - We performed interviews with accounting and finance management and staff at TSA 
and OCFO. Through these interviews, we gained an understanding of management's assessment of its 
remediation of the prior year performance audit findings. We conducted meetings with the Department's 
OIG to identify and agree to the criteria used to evaluate the status of the MAPs (as defined below). 

We performed reviews of key documents and supporting information provided to us by OCFO, to verify 
if the prior year finding had been remediated in the development of the FY 2009 MAPs. Our 
documentation reviews included: 

• The two TSA MAPs (i.e., the MAP Detail and Summary Reports) that were included within our 
scope, and any underlying supporting documentation provided by TSA. 

• The Notices of Findings and Recommendations (NFRs) issued during the FY 2008 financial 
statement audit by the external auditors that supported the internal control findings reported in the 
FY 2008 Independent Auditors' Report. 

• The Annual Component Head Assurance Statements provided pursuant to the requirements of 
OMB Circular A-123.

• The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring 
guidance (e.g., OMB Circular No. A-123). 

Analysis Using Established Criteria - Our evaluation criteria were developed from a variety of sources
including technical guidance published by OMB, e.g., Circular A-123, the GAO, e.g. Standards for 
Internal Control in the Federal Government, and applicable Federal laws and regulations, e.g., FMFIA. 
We also considered DHS' policies and guidance, e.g. the MAP Guide and the ICOFR Playbook, and input 
from the OIG. The evaluation criteria applied to our review of the status of prior year findings were: 

• Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency. A comprehensive analysis typically includes a full 
assessment of the business processes, data flows, and information systems that drive the 
transactions/activities associated with the accounting process where the internal control 
deficiencies are believed to exist. A thorough root cause analysis should include: 
- Research to discover why, when, how the condition occurred - what went wrong and why?

- Investigation to determine if the problem is design or execution, or both. 

- An evaluation to determine if IT system functionality is contributing to the problem and if IT 
system modifications could be part of the remediation. 

- An evaluation of internal controls, including the existence of compensating controls that may 
mitigate the deficiency. 

• Development (of the MAP) - The MAP includes action steps that address the root cause, and 
attainable and measurable milestones at an appropriate level of granularity. Milestones should 
enable independent analysis of a MAP's effectiveness in remediation of root causes and provide 
MAP users with insight on the status of the MAP's implementation. For example, the MAP 
should enable a user to determine if the appropriate level of resources to execute a milestone is 
available and to identify potential missing elements in milestones (e.g. a contractor may be needed 
before a specific milestone can be achieved). 

• Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and 
assigned. The individual MAP owner is responsible for its successful implementation, ensuring 
the achievement of milestones and validation of results. 

• Verification and Validation - The MAP includes written procedures that verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. These activities should include documentation reviews, work 
observations, and performance testing that is maintained for internal OMB A-123 review and
external audit. 

Findings and Recommendations - After conducting our audit, we formulated our findings and 
recommendations. The findings are areas where TSA did not fully remediate prior year performance audit
findings, and represent areas for potential improvement that could negatively affect TSA's remediation of 
the significant deficiencies and/or material weaknesses if the MAP is performed as designed. 

FINDINGS AND RECOMMENDATIONS 

Findings: 

TSA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. The MAPs address 
each of the three primary processes where significant deficiencies and material weaknesses existed at the 
end of FY 2008. (Note: The financial reporting and entity-level controls processes were combined into 
one MAP.) Based on our inquiry with TSA personnel, we determined that TSA was knowledgeable of 
the MAP Guide, performed a review to determine the source and cause of the control deficiencies, and 
incorporated the results into the individual MAPs in the form of milestones. We applied the prior year 
performance audit findings to the FY 2009 MAPs to determine if the findings were remediated in the 
development of the FY 2009 MAPs. 

The chart below identifies the status of prior year findings. Further information is provided in the 
footnotes below. 




• All the MAPs do not adequately define the control deficiencies being corrected and/or the
purpose of the MAP. The Issue Description section does not clearly define the underlying
issues or problems that were identified during the root cause analysis, or lead the reader to
the corrective actions (e.g., milestones). In some cases, known problems do not have
corresponding milestones.
Status: Repeated. Reference: A.

• The financial statement assertion sections of the MAPs were not complete at the time of
our audit, and consequently, the MAP milestones are not linked to the financial statement
assertions (e.g., completeness, accuracy, and existence) affected by the control weaknesses.
Status: Resolved.

• The milestone steps are not clearly linked to root causes. As a result, we could not
determine how the milestones related to the issues identified and root causes, or if the
milestones listed in the TSA MAP sufficiently addressed all root causes and corresponding
control deficiencies.
Status: Repeated. Reference: B.

• Although not required by the DHS MAP Guide, critical interdependencies are not
identified within each MAP and affected milestones. Specifically, interdependencies
between milestones, between accounting processes, and with third parties should be
identified and addressed.
Status: Partially Repeated. Reference: C.

• The verification and validation (V&V) process is not consistently documented across each
MAP. While general V&V procedures have been developed that apply to all MAPs and
three of the MAPs include specific V&V procedures, the Employee Accrued Leave MAP
does not include specific V&V procedures to test whether milestones have been
successfully implemented. Instead, it includes outcomes that, if achieved, will indicate that
corrective actions have been implemented. In addition, the V&V process is deferred until
the end of the MAP instead of incrementally throughout the MAP process. However,
preliminary testing procedures are performed on an ad-hoc basis. For those milestones in
which preliminary testing procedures are not performed, validation is limited to a weekly
review of the milestone progress.
Status: Partially Repeated. Reference: D.



References 

A - This finding is repeated in the FY 2009 MAPs. We noted that the Issue Description section in both 
MAPs under review is limited to a presentation of the auditors' findings, and the root cause analyses are
not clearly linked to the issue descriptions. Consequently, it is difficult to determine if all root causes are 
addressed through the issue description, and subsequently, through the milestones. In addition, we noted 
that the Financial Reporting MAP did not identify the issues related to reconciliation of intragovernmental 
balances in the Issue Description. 

B - This finding is repeated in the FY 2009 MAPs. The milestone steps in both MAPs under review are 
not clearly linked to root causes. Therefore, it is difficult to determine how the milestones relate to the
issues identified and root causes, or if the milestones sufficiently addressed all root causes and 
corresponding control deficiencies. We noted that the Financial Reporting MAP lacks specific milestones 
related to some root causes. For example, one identified root cause is the lack of people dedicated to 
financial reporting; however, there are no actions planned to address this. In addition, there are no 
specific actions planned to address the need for close and effective supervisory review of staff and 
contractors, other than the development of Standard Operating Procedures to include roles and 
responsibilities. 

C - This finding is partially repeated in the FY 2009 MAPs. TSA identified dependencies to other MAPs 
in the MAP Summary reports on a high level. However, interdependencies are not identified within 
affected milestones or root causes. Full remediation of TSA's control deficiencies may require the 
correction of other related control deficiencies, and/or advances made by other components in correcting 
their material weaknesses. 

D - This finding is partially repeated in the FY 2009 MAPs. Verification and validation procedures 
appear appropriate as written; however, with expansion of the MAPs as noted above, additional V&V 
steps will be required, especially regarding supervisory reviews of staff and contractors. In addition, the 
V&V steps should be included in the milestones, with accountability and due dates assigned. 
Other Matters



Although not directly linked to a prior year finding, we noted additional matters for consideration. 

As noted in B above, the Financial Reporting MAP does not fully address the primary root cause of the 
material weakness, which is a lack of skilled resources or optimal deployment of current financial 
management. 

In addition, although the Property MAP adequately describes the need for new processes, it does not fully 
address how TSA will update or redesign processes, procedures, and controls surrounding the new 
policies. The Property MAP is focused on prospective maintenance of reconciled balances. It does not 
adequately address the steps necessary to reconcile and correct the erroneous balances that currently exist. 
In order to be effective, the MAP should be divided into two parts: (1) the remediation of existing issues, 
and (2) the need for new policies, processes, and controls to maintain reconciled balances. 

Cause: 

The conditions noted above are due to a lack of a detailed and thorough analysis and review of the MAPs. 
The interdependency finding is due to the DHS MAP Guide not requiring interdependencies to be 
identified between specific milestones or root causes. 

Effect: 

The documentation issues noted above limit a reviewer from determining the effectiveness of the MAPs 
without performing a more detailed review or discussion with TSA management. In addition, it could 
result in ineffective MAPs that may not fully remediate the control deficiencies. The "Other Matters" 
noted above could result in the material weaknesses not being fully remediated. 

Recommendations: 

We recommend that TSA: 

1. Continue to implement the prior year recommendations in developing its MAPs, contained in OIG 
Report No. 08-74, Independent Auditors' Report on TSA's FY 2008 Mission Action Plans.

2. Financial Reporting and Entity-Level Controls: 

a. Expand the MAP by adding milestones to address all root causes. In particular, include action 
items related to: 

i) Organizational issues related to sufficiency of skills and resources; 

ii) Need for revised policies and processes for review and supervision of staff and contractors. 

b. Expand the verification and validation procedures for the additional milestones noted above. In 
addition, ensure that V&V steps are assigned to an accountable person with due dates clearly 
defined. 

3. Property Management: 

a. Expand the MAP by adding milestones to address the steps necessary to reconcile and correct the 
erroneous balances that currently exist. We recommend that the MAP be split into two parts: (1) 
remediation of existing issues; and (2) implementation of new policies, processes, and controls to 
maintain reconciled balances. 

b. Expand the MAP by adding milestones to address the need to update/redesign processes, 
procedures, and controls around the new policies that are identified. 

c. Expand the verification and validation procedures for the additional milestones noted above. In 
addition, ensure that V&V steps are assigned to an accountable person with due dates clearly 
defined. 
MANAGEMENT RESPONSE TO REPORT

Management has prepared an official response presented as a separate attachment to this report. In 
summary, management agreed with our findings and its comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, we express no opinion on 
it. 



Audit of DHS' Mission Action Plans - TSA 



KEY DOCUMENTS AND DEFINITIONS 



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers' Financial Integrity Act (FMFIA) requires that Executive Branch Federal agencies
establish and maintain an effective internal control environment according to the standards prescribed by 
the Comptroller General. Those standards are published in the Government Accountability Office's 
(GAO) Standards for Internal Control in the Federal Government. In addition, it requires the head of the 
agency to annually evaluate and report on the adequacy of the agency's systems of internal accounting 
and administrative control. 

GAO's Standards for Internal Control in the Federal Government (Standards) defines internal control as 
an integral component of an organization's management that provides reasonable assurance of: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with 
applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (the DHS FAA) brought the Chief 
Financial Officer (CFO) for DHS under the Chief Financial Officers Act, thus making the DHS CFO a 
Presidentially appointed position requiring Senate confirmation. Furthermore, the DHS FAA requires 
that an audit opinion of the internal controls over financial reporting be included in the Department's 
Performance and Accountability Report. 

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal 
Control, provides guidance on internal controls and requires agencies and Federal managers to 1) develop 
and implement internal controls; 2) assess the adequacy of internal controls; 3) separately assess and 
document internal control over financial reporting; 4) identify needed improvements; 5) take 
corresponding corrective action; and 6) report annually on internal controls. The successful 
implementation of these requirements facilitates compliance with both FMFIA and the Chief Financial 
Officers Act. 

Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems,
prescribes policies and standards for executive departments and agencies to follow in developing, 
operating, evaluating, and reporting on financial management systems. The successful implementation 
of these requirements facilitates compliance with both FMFIA and the Chief Financial Officers Act. 

Internal Control Deficiencies - A control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of performing their assigned functions, 
to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or 
combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with U.S. generally accepted accounting 
principles such that there is more than a remote likelihood that a misstatement of DHS' financial 
statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected by DHS' internal control. 

Management Directive (MD) 1030, Corrective Action Plans, establishes DHS' vision and direction on the
roles and responsibilities for developing, maintaining, reporting, and monitoring CAPs (i.e., MAPs) 
specific to the DHS FAA, FMFIA, and related OMB guidance. In addition to roles and responsibilities, 
MD 1030 outlines the policies and procedures related to the CAP process. The organizational structure 
detailed in MD 1030 encompasses employees at all components and offices. 

The Internal Controls Over Financial Reporting (ICOFR) Playbook (ICOFR Playbook) was developed 
by the OCFO, Internal Control Program Management Office, to design and implement department-wide 
internal controls, pursuant to the DHS FAA, OMB Circular No. A-123, and FMFIA. Per the Executive 
Summary in the FY 2008 ICOFR Playbook, the Playbook outlines the Department's "strategy to design
and implement an effective internal control system to support the mission, eliminate material weaknesses, 
and build management assurances." On an annual basis, the ICOFR Playbook is updated by the OCFO to 
enhance its existing guidance, as necessary, and establish action plan milestones, which will be monitored 
by the OCFO throughout the year. One component of the ICOFR Playbook includes MAPs developed by 
the Department and its components to correct material weakness conditions and document 
accomplishments and progress (according to the FY 2008 Playbook). 

The Mission Action Plan Guide, Financial Management Focus Areas Fiscal Year 2008 (MAP Guide) 
outlines the policies and procedures to be used to develop MAPs throughout DHS, pursuant to the roles 
and responsibilities established by the DHS Management Directive (MD) 1030, Corrective Action Plans. 
The MAP Guide applies to all Department Components and Offices (e.g., OCFO) where a control 
deficiency has been identified. Note that non-conformances related to the Federal Information Security
Management Act (FISMA) are under the purview of the Department's Chief Information Security
Officer's Plan of Action and Milestones (POA&M) Process Guide.

Electronic Program Management Office (ePMO) is a Web-based software application the OCFO 
deployed to manage the collection and reporting of MAP information. 

Mission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the 
remediation of internal control deficiencies identified by management or by external parties. MAP 
documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP 
Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief 
descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick 
Guide contained in the MAP Guide: 

• The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency 
conditions), results of the root cause analysis performed, relevant financial statement assertions 
affected by the issue, key strategies and performance measures, resources required, an analysis of 
the risks and impediments as seen by management, verification and validation methods, and the 
critical milestones to be achieved. 

• The MAP Detailed Report provides additional data on the milestones, not only on those identified 
as critical but also those sub-milestones under a critical milestone. For each milestone (critical or 
sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started, 
Work in Progress and Completed), and the responsible and assigned parties. 

The Department's Annual Financial Report (DHS AFR) was published on November 17, 2008 and 
consists of the Secretary's Message, Management's Discussion and Analysis, Financial Statements and 
Notes, an Independent Auditors' Report, Major Management Challenges, and other required information. 
The AFR was prepared pursuant to OMB Circular A-136, Financial Reporting Requirements.

U.S. Department of Homeland Security

Office of Finance and Administration
601 South 12th Street, TSA-14
Arlington, Virginia 20598-6014

Transportation Security Administration

MAY 6 2009



Ms. Anne L. Richards 
Assistant Inspector General for Audits 
Department of Homeland Security 
245 Murray Drive SW, Building 410 
Washington, DC 20528 

Dear Ms. Richards: 

This letter responds to KPMG's audit of the Transportation Security Administration 
(TSA) Fiscal Year (FY) 2009 Mission Action Plans (MAPs) as reported in the Draft 
Report: Independent Auditor's Report on TSA's FY 2008 Mission Action Plans included
in DHS FY 2009 ICOFR Playbook dated April 2009. The report discusses TSA's 
development of two MAPs to correct internal control deficiencies over financial reporting. 

TSA concurs with KPMG's findings. We have revised our MAPs based on the 
recommendations as noted in the report. Please express my appreciation to your staff and 
the KPMG team for their efforts in completing this audit. 




Sincerely 



David R. Nicholson 
Assistant Administrator and Chief Financial Officer 
Office of Finance and Administration 